
InfoBytes Blog

Financial Services Law Insights and Observations



  • New York expands consumer protections

    State Issues

    On November 8, the New York governor signed several pieces of legislation relating to consumer protection. Among those, S.153/A.2832 enacts The Consumer Credit Fairness Act, which expands consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” Certain parts of the Consumer Credit Fairness Act are effective immediately. S.4823/A.3359, effective 30 days after being signed into law, prohibits utility companies from engaging in harassment, oppression, or abuse when coordinating with a residential customer. According to the press release, this legislation responds “to various unscrupulous practices that utility corporations engage in, such as creating a ‘payment agreement’ with customers that encourage customers to take large down payments in exchange for utilities such as energy not being shut down.” S.1199/A.5838 requires the Public Service Commission to have at least one member who is an expert in consumer advocacy. It will also go into effect 30 days after being signed into law.

    State Issues NYDFS Consumer Finance Debt Collection New York Consumer Protection State Legislation

  • SEC proposes amendments to electronic filing requirements


    On November 4, the SEC announced two proposed amendments (Updating EDGAR Filing Requirements and Electronic Submission of Applications for Orders under the Advisers Act and the Investment Company Act, Confidential Treatment Requests for Filings on Form 13F, and Form ADV-NR; Amendments to Form 13F), which update electronic filing requirements. These proposed amendments are intended to increase efficiency, transparency, and operational resiliency by modernizing how information is submitted to the SEC and disclosed. The proposed rule and form amendments would require, among other things, certain forms to be filed or submitted electronically and would make technical amendments to certain forms to require structured data reporting and eliminate outdated references. According to the SEC, the Commission currently allows, and at times requires, certain forms to be filed or submitted in paper format. The SEC also noted that publicly filed electronic submissions would be more readily accessible to the public and would be available in a searchable format on the SEC’s website. The public comment period will be open for 30 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the rule applies and what is required under the proposed amendments. According to a statement released by SEC Chair Gary Gensler, “just as we are hoping to update our rules for market participants in the face of rapidly changing technology, it’s also important that we update our rules to make filing obligations more efficient.”

    Securities SEC EDGAR Fintech Federal Register Agency Rule-Making & Guidance

  • Treasury and DOJ announce sanctions and charges in ransomware attacks

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 as amended against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange, and its associated support network, are being designated for allegedly facilitating financial transactions for ransomware actors. OFAC is also designating two individuals allegedly associated with perpetuating ransomware incidents against the U.S., and who are part of a cybercriminal group that has engaged in ransomware activities and has received over $200 million in ransom payments. As a result of the sanctions, “all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them” and “any entities 50 percent or more owned by one or more designated persons are also blocked.” According to OFAC, the sanctions are a part of a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware, which “advance the Biden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address abuse of the virtual currency ecosystem to launder ransom payments.” Additionally, the DOJ announced charges against the sanctioned individuals under OFAC’s designations, seizing approximately $6.1 million in alleged ransomware payments.

    The same day, FinCEN issued an advisory, which updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (covered by InfoBytes here). The updated advisory is in response to the recent increase in ransomware attacks against critical U.S. infrastructure. The updated advisory also reflects information released by FinCEN in its Financial Trend Analysis Report, which discusses ransomware trends and includes information on current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. Additionally, the updated advisory describes financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions related to ransomware payments, consistent with obligations under the Bank Secrecy Act.

    Financial Crimes Department of Treasury OFAC Of Interest to Non-US Persons OFAC Designations OFAC Sanctions FinCEN Privacy/Cyber Risk & Data Security Bank Secrecy Act DOJ Ransomware

  • Illinois enacts the Protecting Household Privacy Act

    Privacy, Cyber Risk & Data Security

    Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Illinois Consumer Protection Enforcement

  • New York enacts robocall measures

    Privacy, Cyber Risk & Data Security

    On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state government to ensure that voice service providers are validating who is making these calls so enforcement action can be taken against bad actors,” Governor Kathy Hochul stated.

    S.6267a requires telecommunication companies to block certain calls, including those from (i) numbers that are not valid North American numbering plan numbers; (ii) numbers that are not allocated to a provider by the North American numbering plan administrator or the pooling administrator; and (iii) unused numbers that are allocated to a provider. According to the governor’s press release, the act codifies into state law the provisions of a 2017 FCC rule that took effect in June 2021 and allows telecommunications companies to proactively block calls from certain numbers. (Covered by InfoBytes here.) These types of numbers, the release states, “are indicative of ‘spoofing’ schemes in which the true caller identity is masked behind a fake, invalid number.” The act takes effect immediately.

    The second act, S.4281a, requires voice service providers to authenticate calls using the STIR/SHAKEN call authentication framework. As previously covered by InfoBytes, in 2020, the FCC, pursuant to the TRACED Act, adopted new rules requiring providers to implement the STIR/SHAKEN framework by June 2021. Under New York’s new measure, providers have up to 12 months to implement this framework or an “alternative technology that provides comparable or superior capability to verify and authenticate caller identification in the internet protocol networks of voice service providers.” Violators face a fine of up to $100,000 for each offense per day that the framework is not in place. This act is also effective immediately.

    Privacy/Cyber Risk & Data Security State Issues State Legislation New York Robocalls FCC

  • New York requires private employers to provide electronic monitoring notice

    Privacy, Cyber Risk & Data Security

    On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must receive acknowledgement from the employee either in writing or electronically and are also required to post the notice of electronic monitoring in a conspicuous area where it can be viewed by employees. The act applies to any individual, corporation, partnership, firm, or association with a place of business in New York, but does not include the state or political subdivisions of the state. Also exempt are processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” The attorney general is authorized to enforce the act and fine employers found to be in violation of the provisions. The act takes effect in 180 days.

    Privacy/Cyber Risk & Data Security State Issues State Legislation New York

  • DFPI issues fourth round of draft regulations for commercial financing disclosures

    State Issues

    On November 5, the California Department of Financial Protection and Innovation (DFPI) issued a fourth draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. California released the first draft of the proposed regulations in July 2019, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released second and third rounds of modifications in August and October of this year (covered by InfoBytes here, here, here, and here). The fourth modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications amend the term “average monthly cost” to mean the average total amount paid by the recipient (for periodic and irregular payments) over a contract’s term divided by the number of months specified in the contract. Providers may divide the number of days in the contract term by 30.4 to determine the number of months in the contract term. This calculation may also be used to determine the “estimated monthly cost.” Comments on the fourth modifications must be received by November 22.

    State Issues State Regulators DFPI Commercial Finance California Disclosures Consumer Finance Nonbank

  • Kansas AG fines companies for unlawful data disposal

    State Issues

    On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.

    State Issues State Attorney General Enforcement Privacy/Cyber Risk & Data Security Consumer Protection Kansas

  • California AG takes action against casino for AML violations

    State Issues

    On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.

    State Issues State Attorney General Financial Crimes Anti-Money Laundering Bank Secrecy Act Enforcement DOJ California

  • District Court grants preliminary approval in BIPA settlement


    On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiff filed the proposed class action in 2019, alleging the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by collecting thousands of fingerprints through a finger-scanning donor identification system without providing proper disclosures or obtaining informed written consent. The plaintiff further alleged that the defendant required her (and thousands of Illinois blood plasma donors) to provide a fingerprint to donate plasma, which was later used for identification on subsequent visits. The plaintiff alleged that by not requiring her informed consent and by disclosing her information to a third party, the defendant’s practice violated BIPA. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 76,826 Illinois blood plasma donors who were required to scan their finger at the defendant’s Illinois facilities prior to donating plasma. The settlement would provide payouts of approximately $400 to $800 per class member, assuming a claims rate of 10 percent to 20 percent, and permit class counsel to file for up to 35 percent of the settlement fund for attorney fees.

    Courts Class Action BIPA State Issues Illinois Privacy/Cyber Risk & Data Security Settlement
